ESET Online Help

Search
Select the category
Select the topic

Incidents

The Incident management system has multiple tools, including commenting and editing incident attributes.

You can create new incidents in Computers, Detections, and Executables details.

Incidents inspected by an ESET Services Representative (ESR) will have the new flag Investigated by ESET added after the incident's name.

Filtering, Tags and Table options

Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear gear_icon icon for table options to manage the main table.

Choose an option to create a new incident or add the detection to an existing incident.

Create incident—Redirects the user to the wizard window.

Add to current incident—Add elements to the current incident.

Add to recent incident—Add elements to one of the last three incidents.

Select incident to add to—Add elements to the selected incident.

incident_statuses

Incident severity

Low severity

Medium severity

High severity

Incident statuses

Open—The report is open or reopened by a security administrator or other user.

In-progress—The report is in progress and currently being investigated.

On Hold—The report is on hold and waiting for inputs from the report analysis.

Resolved—The report is resolved and waiting for closure.

Closed—The report is closed.

Invalid—The report is invalid.

Select an incident to open the information window, which consists of the following parts:

Timeline

The timeline shows Incident change information. The upper part shows information regarding the Status, Severity, Assigned user, number of Detections, Executables, Computers, Processes and Tags, if present, added to the report. Anything related is displayed in the Details tab based on the selected object. Click Details to get to the object's Details page (based on type, computer, detection and process).

Incident—Comprehensive details about the incident.

Details—Comprehensive details about the object.

Process Tree—The process tree related to the process.

Related objects—List of related objects to the incident.

ESET AI Advisor

ESET AI Advisor is an LLM tool that assists with incidents created by Incident Creator or provides detection details. It references the selected incident, its elements, and all objects managed by ESET Inspect Web Console.

note

ESET AI Advisor is available only in the cloud version of ESET Inspect and only with the ESET MDR Ultimate protection tier.

Ask ESET AI Advisor for help with the selected incident. Here are some example questions:

oSummarize the incident.

oSummarize the incident with attack chain steps in bullet points.

oProvide more information about (specific detection).

oProvide details about (specific program) installation.

oWhat techniques did the adversary use in this incident?

oWhat techniques did the adversary use (for example, credential access/persistence)?

oAdvice on resolving this incident.

important

Conversation with the ESET AI Advisor is currently limited by the number of questions per day for all user accounts of one ESET Inspect Web Console. An error message will notify you when the limit is reached. The limit resets daily at midnight UTC.

note

Remember, ESET AI Advisor is mainly for helping with incidents inside ESET Inspect.

While it supports your ESET Inspect Web Console language, we recommend using English for the best results.

Incident graph

Detections

If the report contains detections, they are shown here. You will find the same options to work with detections as the Detections tab, except for a Remove button, which allows users to remove selected detections from the report.

Computers

If the report contains any computers, they are shown here. You will find the same options to work with detections as the Computers tab, except for a Remove button, which allows users to remove selected computers from the report.

Executables

If the report contains executables, they are shown here. You will find the same options to work with executables as the Executables tab, except for a Remove button, which allows users to remove selected executables from the report.

Processes

If the report contains any processes, they are shown in this tab. You can remove selected processes from the report.

Click an incident name to take further actions:

Details—Go to incident details tab.

Make current incident—Indicate a current incident by highlighting it blue.

Assign—Assign the report to a specific user for investigation.

Progress—Change the progress state of selected incident.

oStart progress—Change the report status to “In progress”.

oOn hold—Change the report status to “On hold”.

oResolve—Change the report status to “Resolved”.

oClose—Change the report status to “Closed”.

oReopen—Reopen the report for reinvestigation.

oInvalid—Change the report status to “Invalid”.

oDelete incident—Delete the incident.

Access groupDisplays the currently assigned access group. Click Move to reassign access group.

Tags—Assign tags to an incident from the existing list or create new custom tags.

Filter—Show quick filters on the column where you activated the context menu (Show only this, Hide this).

 

Threat indicators—Display threat indicators in the timeline if checked.

Behaviours—Show threat behaviors in the timeline if checked.

Analyst actions—List analyst actions in the timeline if checked.